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IMPROVED PASSWORD ENTRY 

Field of the Invention 

The invention relates to the entry of passwords, codes or 
identification numbers into data processing systems, Automated Teller 
Machines, locks or other security or access control devices. More 
particularly, the invention relates to the checking of the rhythm and tempo 
used for entry of the password, code or identification number. 

Background of the Invention 

IBM Technical Disclosure Bulletin v. 30, n.5, October 1987, p. 258, 
"Passwords for Computer Systems and Cipher Locks Containing Rhythm 
Patterns" discloses the use of a password with timing constraints such as 
the pauses between key-presses or the duration of the key-press being 
added. The pauses or duration are predefined and may be either "long" or 
short" and may be either relative to each other or absolute values. 

US Patent 4,621,334 discloses a personal identification apparatus in 

which a mean time between keystrokes is used to determine whether a person, 

attempting to gain access is the person who should be granted access to the 
system. 

US Patent 4,805,222 discloses a method of verifying a person's 

identity by measuring the average inter-character time between successive 
pairs of keystrokes and comparing this with a pre-stored sample. 

US Patent 5,557,686 discloses a user verification system in which 
vectors are constructed from user inputted samples and a neural network is 
used to determine whether the user inputted samples are similar to a sample 
entered for user verification. 

US Patent 5,721,765 discloses a security system in which digits of an 
identification number are separated into two or more groups that must be 
entered with a predetermined time delay between each of the two or more 
groups . 

US Patent 6,151,593 discloses a neural network which compares a 
timing vector extracted from the keystrokes a user has typed in with a 
training set to authenticate the identity of the user. 

It would be desirable to allow entry of a password, code or 
identification number according to a rhythm and tempo defined by the user 
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unique identifier, but also that authentication is not given when the 
unique identifier is not entered by the authorised user. 

In a variation of the preferred embodiment, said predetermined 
5 tolerance is explicitly set by the user. In some applications, it may be 

determined that a particular tolerance should be used and that the user 
should achieve this tolerance in order for the unique identifier to be 
accepted. For example, if during entry of the reference unique identifier, 
there is a large variation in the relative or absolute values of the 
10 inter-keystroke intervals, then that would allow future entry of the unique 

identifier with a large tolerance. It may be desirable to limit the 
tolerance or to explicitly set the tolerance. 
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The invention also provides a computer program comprising computer 
program code means adapted to perform the steps of any one of the methods 
described above. 

Brief Description of the Drawings 

The invention will now be described, by way of example only, with 
reference to the accompanying drawings, in which: 



Figure 1 is a flow diagram of a learning mode of an embodiment of the 
present invention; 

Figure 2 is a screen image at step 102 of figure 1; 
Figure 3 is a screen image after step 104 of figure 1; 
Figure 4 is a screen image after step 106 of figure 1; 
Figure 5 is a screen image of the error indication displayed at step 
110 of figure 1; 

Figure 6 is a flow diagram of a secure mode of an embodiment of the 
present invention; 

Figure 7 is a screen image of the error indication displayed at step 
614 of figure 6; 

Figure 8 is a screen image of the error indication displayed at step 
35 610 of figure 6; 

Figure 9 is a screen image of the error indication displayed at step 
618 of figure 6; and 

Figure 10 is a screen image of the tempo checking portion of the 
present invention. 



Detailed Description of the Invention 



When a password, code or identification number is entered into a 
system by a user, there is typically a rhythm associated with the entry of 
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consists of. in alternative embodiments, this first entry of the password 
could be used as part of the learning process. 

At step 106 of figure 1, a second entry of the password is made. 
Figure 4 shows a screen shot taken after the second entry of the password 
has been made. As each character of the password is entered, it is 
displayed in the message box 214 with the elapsed time interval between 
entry of each character in ms shown. Additionally, an acceptable range of 
time intervals computed using the rhythm tolerance may be shown. In the 
example of figure 4, this is not shown until a third entry of the password 
had been made, although this is not an essential feature of the invention 
and it could be shown after a first entry, or a second entry or a 
subsequent entry of the password. 

When the Enter key or another key representing completion of the 
password entry process is pressed, then processing moves to step 108 of 
figure 1. If the second entry of the password matched the first entry of 
the password, the words "Password accepted." are displayed and the learn 
count window 218 now displays a learn count of 1. Processing moves to step 
112 of figure 1 where an acceptable range of rhythm values is set. As an 
example, the message window of a subsequent entry might show: 



■f« (0 ms) [Range: 0 -> 0] PASS 
'r' (265 ms) [153 -> 253] FAIL (Slow) 
25 'e« (203 ms) [153 -> 253] PASS 

'd' (157 ms) [117 -> 195] PASS 
Password accepted . 



In the example above, the acceptable rhythm range has been set 
between 153 ms and 253 ms for the time interval between entry of »f" and 
"r", that is the time interval for the initial entry with a 25% tolerance 
applied. Similarly, for the time interval between entry of "r" and "e" and 
for "e" and "d", where the ranges are 153 ms to 253 ms and 117 to 195 ms 
respectively. The time interval between entry of "f " and "r" was outside 
3 5 the acceptable range and so failed for that entry. The time intervals 

between entry of "r" and "e" and for "e" and "d" were within the acceptable 
ranges for those time intervals and so passed for those entries. 



If the second entry of the password does not match the first entry of 
the password, processing passes to step 110 of figure 1. Figure 5 shows a 
screen shot taken after an incorrect second entry of the password has been 
made. The words "Password text incorrect." and "Password not accepted." 
are displayed in the message window 214 and the learn count displayed in 
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accepted" messages are displayed in the message box (214 in figure 9) and 
an indication (802 in figure 9) is provided that the password is not 
accepted. Processing returns to step 606 to accept the entry of password. 
If all of the time intervals fall within the acceptable ranges, then at 
step 620 the password is accepted and a -Password accepted" message is 
displayed in the message box (214 in figure 7) and an indication (702 in 
figure 7) is displayed that the password is accepted. 

In addition to checking the rhythm of entry of the password, the 
tempo is checked. In the context of this patent application, tempo is 
taken to mean relative measures of the time interval between the entry of 
each character or number of a password, code or identification number. 
That is, for example, if the characters being entered are "f red" , then the 
interval between entering "f" and "r« might be 203 mS, the interval between 
entering »r» and »e" might also be 203 mS and the interval between entering 
»e" and »d« might be 156 mS. The first inter-character interval, that is, 
the interval between entering "f" and "r", may be used as an "anchor" for 
checking the relative timing for the rest of the password. The second and 
subsequent inter- character intervals are divided by this first interval to 
give values for the tempo. So the Tempo value for the interval between 
entering "r" and "e" would be 203 mS divided by 203 mS, that is 1.00 and 
the Tempo value for the interval between entering "e" and "d" might be 156 
mS divided by 203 mS, that is 0.77. In an alternative embodiment, the 
average of the inter-character intervals may be used as an "anchor" . 

Also, in the context of this patent application. Tempo Tolerance is 
taken to mean the variation from these Tempo (relative) values that are 
permitted for the rhythm of the entry of the password, code or 
identification number to be accepted. For example, using the intervals 
mentioned above, with a Tempo Tolerance of 25%, a Tempo value of 0.75 to 
1.25 (1.00 plus or minus 25%) might be acceptable for the interval between 
entering "r" and "e" and a range of 0.58 to 0.96 (0.77 plus or minus 25%) 
might be acceptable for the interval between entering "e" and "d" . 

As for the rhythm aspect of password entry, the system into which the 
password is entered must learn the tempo associated with a password when it 
is first entered. The system does this by using a Learning Mode and a 
Secure Mode in which the password is entered and the tempo is learnt. 

Figure 10 shows a program window 1000 with a window title 202 of 
"Reference Password: "f red" . A Rhythm Tolerance slider 204 is set to an 
initial value of 25% and a Tempo Tolerance slider 1002 is set to an initial 
value of 25%. Tick-box 1004 is included to enable Tempo checking. Message 
window 214 shows the elapsed time interval between entry of each character 



GB920020044GBI 



9 



CLAIMS 

1. A method of authenticating a user comprising the steps of: 

providing, by the user, a unique identifier, the unique identifier 
comprising both a sequence of keystrokes and the inter-keystroke intervals 
associated with provision of those keystrokes; 

comparing the unique identifier provided by the user with a reference 
unique identifier by: 

comparing the absolute inter-keystroke intervals of the unique 
identifier with the absolute inter-keystroke intervals of the 
reference unique identifier and returning a true indication if the 
absolute inter-keystroke interval of the unique identifier is within 
a predetermined tolerance of the absolute inter-keystroke interval of 
the reference identifier; 

comparing the relative inter-keystroke intervals of the unique 
identifier with the relative inter-keystroke intervals of the 
reference unique identifier and returning a true indication if the 
relative inter-keystroke interval of the unique identifier is within 
a predetermined tolerance of the relative inter-keystroke interval of 
the reference identifier; 

authenticating said user if both said absolute comparison step and 
said relative comparison step return a true indication. 

2. A method as claimed in claim 1, wherein said relative inter-keystroke 
intervals are the ratio of the inter-keystroke intervals and the 
inter-keystroke interval between entry of the first of . said sequence of 
keystrokes and the second of said sequence of keystrokes. 

3. A method as claimed in claim 1, further comprising the step of entry 
by the user of the reference unique identifier and wherein said 
predetermined tolerance is determined during said step of entry by the user 
of the reference unique identifier. 

4 . A method as claimed in claim 3 wherein said predetermined tolerance 
is explicitly set by the user. 

5. A computer program comprising computer program code means adapted to 
perform the steps of any one of claim 1 to claim 4 . 
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